<?php
/** 

一个用于PHP脚本漏洞的静态源代码分析器
作者:约翰内斯·达斯
版权(C) 2012 Johannes Dahse
本程序为自由软件;
您可以根据自由软件基金会发布的GNU通用公共许可证条款重新发布和/或修改它;
许可的版本3，或者(由您选择)任何以后的版本。
这个程序是希望它会有用，但没有任何保证;
甚至没有对适销性或适合特定用途的隐含保证。
有关更多细节，请参阅GNU通用公共许可证。
您应该已经收到一份GNU通用公共许可证的副本，连同本程序;
如果没有，请查看<http://www.gnu.org/licenses/>
 **/

if(!empty($_GET['file']))
{
	$file = $_GET['file'];
?>

<div style="padding: 20px; width: 400px">
	
<div style='width: 300px'>
	#!/usr/bin/php -f<br>
	&lt;?php<br>
	#<br>
	# <?php echo htmlentities(basename($file), ENT_QUOTES, 'utf-8'); ?> curl exploit<br>
	#<br><br>
</div>

<div id="exploitbuild">
<div class="exploitbox">
	<div class="exploittitlebox">
		<div class="exploittitle">general settings:</div>
		<div style="clear: left;"></div>
	</div>

	<div class="exploitcontentbox">
	<table class="textcolor">
	<tr>
		<td>URL:</td>
		<td><input type="text" size="40" id="target" name="target" value="http://$target/<?php echo htmlentities(basename($file), ENT_QUOTES, 'utf-8'); ?>" /></td>
	</tr>
	<tr>
		<td>COOKIEJAR:</td>
		<td><input type="text" id="cookiejar" name="cookiejar" value="/tmp/cookie_$target" /></td>
	</tr>
	<tr>
		<td>Max Exec Time:</td>
		<td><input type="text" id="exectime" size=2 name="exectime" value="3" /> (s)</td>
	</tr>
	<tr>
		<td>SSL: <input type="checkbox" id="ssl" name="ssl" value="1" onChange="setssl()" /></td>
		<td>BasicAuth: <input type="checkbox" id="auth" name="auth" value="1" /></td>
	</tr>
	</table>
	</div>
</div>

<?php
	
	function creatediv($method, $name)
	{
		if(!empty($method))
		{
			$method = htmlentities($method, ENT_QUOTES, 'utf-8');
?>		

<div id="<?php echo $name.'box'; ?>" class="exploitbox">
	<div class="exploittitlebox">
		<div class="exploittitle"><?php echo $name ?> parameter:</div>
		<input type="button" class="closebutton" style="position:relative;top:4px;right:5px;" value="x" onClick="deleteMethod('<?php echo $name; ?>')" />
		<div style="clear: left;"></div>
	</div>

	<div class="exploitcontentbox">
	<form id="<?php echo $name; ?>">
		<table class="textcolor" cellspacing=0px cellpadding=2px>
<?php		
			$params =  explode(',', $method);
			foreach($params as $param)
			{
				if($name != '$_SERVER' || ($name == '$_SERVER' && substr($param,0,4) == 'HTTP'))
				{
					$param = htmlentities($param, ENT_QUOTES, 'utf-8');
					if($param == '*') $param = 'foobar';
					echo "\n<tr><td>$param:</td>\n",
					"\t<td><input type='text' name='$param' value=''></td>\n",
					'</tr>';
				} else
				{
					echo "\n<tr><td colspan='2'>You can taint \$_SERVER['$param'] by editing the target URL.</td></tr>\n";
				}
			}
?>
		</table>
	</form>
	</div>	
</div>	
<?php			
		}
	}
	
	if(isset($_GET['get'])) creatediv($_GET['get'], '$_GET');
	if(isset($_GET['post'])) creatediv($_GET['post'], '$_POST');
	if(isset($_GET['cookie'])) creatediv($_GET['cookie'], '$_COOKIE');
	if(isset($_GET['files'])) creatediv($_GET['files'], '$_FILES');
	if(isset($_GET['server'])) creatediv($_GET['server'], '$_SERVER');

	
?>
	
	<input type="button" class="Button" value="create" onClick="createExploit()" />&nbsp;
	<br /><br />
</div>	

<div id="exploitcode" style="display:none;"></div>
	?>
</div>	
<?php
} else
{
	echo 'No file loaded';
}

?>